[Moderator: I think I will leave this one alone...]
Forwarded From: krys <krys@gekko.net>
From CNN:
First-Ever Insurance Against Hackers
Reuters
14-JUN-98
By Therese Poletti
SAN FRANCISCO, June 4 (Reuters) - A computer security firm is so certain
of its security prowess that it is offering to protect its customers with
the first-ever hacker insurance, in the event a customer is successfully
invaded by hackers.
ICSA Inc., the International Computer Security Association, is now
offering as part of its TruSecure service, insurance against hacker
attacks. ICSA will pay up to $250,000 if a customer's network is hacked
into, after it has followed the TruSecure criteria.
``This is the first hacker-related insurance,'' said Peter Tibbett,
president of the ICSA, based in Carlisle, Penn. ``It puts our money where
our mouth is.''
ICSA sells its TruSecure service for $40,000 a year. The service, which it
has been offering for several years, is a series of steps, methods and
procedures that an ICSA client must adhere to. Some steps are simple,
common sense procedures, such as having the server which hosts your
company's Web site inside a locked room.
Other steps are more complicated, such as the requirement to have a secure
firewall around an internal network.
But the ICSA does not sell products. Instead, it recommends a whole range
of software that it has approved as secure and meets its standards,
through open meetings and debates, with all its members, many of whom
develop security products.
Then, ICSA tests a client's security by using typical hacker methods,
through its 100 or so employees, none of whom are reformed hackers.
ICSA believes, along with executives at International Business Machines
Corp. who perform ``ethical'' hacking on its customers, that there is no
such thing as a reformed hacker.
``We spray them with hacker tools and see where their vulnerabilities
are,'' Tibbett said, referring to many of the widely-used hacker programs
that are available over the Internet or shared among hackers. ``The
average site took about two weeks to get to the place where they meet all
our requirements.''
After ICSA completes a six-step process to test and improve
a company's security, the customer is deemed secure and will then
receive insurance.
The ICSA said it will pay its customers if they fall prey to a hacker,
even if they are not financially harmed from the attack.
``Whether you lose money or not, we will pay,'' Tibbett said. ``We believe
that we reduce the risk dramatically ... Yes, we expect to write
some checks, but we don't expect to write very many.''
Tibbett likens the ICSA to the Center for Disease Control, because it
tracks all hacker attacks and tests every hacker tool and virus its
programmers can find. The ICSA also is known for its emergency response
center, which tracks the fallout from known computer viruses and helps
companies in a crisis.
``Good enough is never going to be perfect,'' Tibbett said. ``But we have
a motivation to improve our service. If we have to write a check when
someone gets hacked, it gives us another emphasis.''
The company said it is partnering with major nationwide insurance carriers
who recognize the ICSA TruSecure certification as a requirement for hacker
policies.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Jun 15 20:55:03 1998